What are Gadgets

• Little applications that run on your Windows desktop

• For instance: 
A little bit of history

• Windows XP - Concept first introduced as "Active Desktop"

o Allowed you to put updating content on your desktop.

• Vista - Sidebar introduced, first mention of "gadgets"

o Gadgets ran in the sidebar "container" and couldn't be placed arbitrarily on the desktop

• Windows 7 - significant changes

o Improvements in management:
o Gadgets can now be anywhere on the desktop
o All gadgets run in a single process
o Addition of the enterprise security features
o Also - new stuff to help in development


Why this still matters

• Gadget use is in decline

• But! This style of app development is taking off

o Container-based apps for smartphones that allow you to do all your dev in HTML, XML, Javascript, etc...


Windows Vista Sidebar 


Windows 7 Gadgets 

Creating Gadgets 

• Just a zip file 


Creating

• Usually just a web app

o html
o css
o javascript
o gadget specific manifest file

• Can also be WPF or Silverlight


Example gadget package contents (unpacked .gadget folder):

Name           Type
css            File folder
Images         File folder
js             File folder
about.html     HTML Document
flyout.html    HTML Document
gadget.html    HTML Document
gadget.xml     XML Document
nyancat.gif    GIF image
NyanCat.mp3    MP3 Format Sound
settings.html  HTML Document





Gadget Security Model

• MSFT provides a detailed explanation

o (see references)

• Code signing is possible but not required

• Prompt for install similar to standard applications:

  Windows Sidebar - Security Warning

  The publisher could not be verified. Are you sure you want to install this gadget?

  Name: DigitalClock[1].gadget
  Publisher: Unknown Publisher

  [Install]  [Don't Install]

  This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust. How can I decide what software to run?


Gadget Security Model

• Most similar to HTA - HTML Applications

• Basically run in "Local Machine Zone" with some differences:

o Can instantiate any installed ActiveX object
o UAC

■ Runs as standard user even if the user is part of the admin group

■ Can't raise UAC prompts BUT! apps launched by gadget can

• Parental Controls apply


Gadget Security Model

• Some enterprise controls available

o Turn off Windows Sidebar.

■ This policy allows administrators to completely disable the Windows Sidebar.

o Disable unpacking and installation of gadgets that are not digitally signed.

■ Only affects gadgets that are downloaded and installed by double-clicking on the gadget package. All previously installed gadgets, as well as those installed manually, will still function.

o Turn off user-installed gadgets.
o Override the "Get more gadgets online" link.


Attack Surface

• Attacking with gadgets
• Attacking gadgets



Attacking with gadgets

• Delivery:

o Install this gadget? Sure!

• Sidebar gadgets aren't perceived as being dangerous software or even software at all


Attacking with gadgets

• So I installed your gadget, so what?
• I can't do much, just this:

o Execute code
■ Game over

• Also:

o Open URLs
o Create files with arbitrary content
o Read files
o Make your computer speak



Attacking with gadgets 

Demo time 



Attacking Gadgets

• Gadgets are code. Therefore gadgets are vulnerable

• Step 1 - Search for gadgets
• Step 2 - Analyze
• Step 3 - ...
• Step 4 - Profit (and share the findings)


Attacking Gadgets

• LOTS of malware claiming to be gadgets
• Minimal use of SSL
• Lots of ad server connections (no ads displayed)

o And domain parking sites

• A couple primary producers, shared code between gadgets

o If you find something in one, it's probably in the others


Attacking Gadgets

• Poor security practices, easy targets

o Multiple ways to inject code
o Default Permissions is "full"

• Traffic sniffing

• Easy to spot

o (x64)


Attacking Gadgets - Traffic Sniffing

• SSL is haaaaard

• All downloaded gadgets pulled most of their content w/o SSL

• Including updated gadget code in some cases
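Added example, not from the slides or from any Microsoft tooling: a Python triage script that opens a .gadget package as the zip it is, reads the gadget.xml manifest from the Creating slide (entry page, permissions) and scans the HTML/JS members for the two indicators raised on the security-model and traffic-sniffing slides, ActiveXObject instantiation and content fetched over plain http. The manifest layout and the sample package it builds are assumptions constructed for this example.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Indicators the deck calls out: content fetched over plain http, ActiveX use.
HTTP_URL = re.compile(r'http://[^\s"\'<>]+', re.IGNORECASE)
ACTIVEX = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.IGNORECASE)


def triage_gadget(package: bytes) -> dict:
    """Inspect a .gadget package (raw zip bytes) and return a findings dict."""
    report = {"name": "", "entry": None, "permissions": "",
              "plain_http": [], "activex": []}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        if "gadget.xml" in names:  # the gadget-specific manifest
            root = ET.fromstring(zf.read("gadget.xml"))
            report["name"] = (root.findtext("name") or "").strip()
            base = root.find("./hosts/host/base")  # src = HTML entry point
            report["entry"] = None if base is None else base.get("src")
            report["permissions"] = (root.findtext("./hosts/host/permissions") or "").strip()
        for member in names:
            if member.lower().endswith((".html", ".htm", ".js")):
                text = zf.read(member).decode("utf-8", errors="replace")
                report["plain_http"] += [(member, u) for u in HTTP_URL.findall(text)]
                report["activex"] += [(member, p) for p in ACTIVEX.findall(text)]
    return report


def build_sample_gadget() -> bytes:
    """Constructed sample package (not a real gadget): manifest plus one page."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<gadget>
  <name>Sample Clock</name>
  <hosts>
    <host name="sidebar">
      <base type="HTML" apiVersion="1.0.0" src="gadget.html"/>
      <permissions>Full</permissions>
    </host>
  </hosts>
</gadget>"""
    page = """<html><body><script>
var req = new ActiveXObject("Microsoft.XMLHTTP");  // feed pulled without SSL
req.open("GET", "http://feed.example.invalid/clock.js", false);
</script></body></html>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gadget.xml", manifest)
        zf.writestr("gadget.html", page)
    return buf.getvalue()
```

Run `triage_gadget(open("some.gadget", "rb").read())` on a downloaded package; a non-empty `plain_http` list is the "updated gadget code w/o SSL" case from the slide, since anything on that list can be swapped on the wire.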


Attacking Gadgets - MitM

• There are not many gadgets out there, so capturing their requests is simple. (AirPwn)

• Using a custom simple proxy to automate injection.

• Demo


Attacking Gadgets - Code Injection

• Any web scripting language

o Or powershell

• Demo


What to do about it?

• Code is code

o Remember not to take candy from strangers

• Write applications properly

• Microsoft's solution


Microsoft Solution

• Security Advisory 2719662

o "Microsoft is aware of vulnerabilities in insecure Gadgets affecting the Windows Sidebar on supported versions of Windows Vista and Windows 7"

• Fix It Solution

o Engineering solution that removes the attack vector

• Moving away from the Windows Sidebar and towards the Windows Store.

o Deprecated the Windows Gadget Gallery

o Updated developer documentation



Prior Work

Standing on the shoulders of giants

• CVEs

o CVE-2007-3032
o CVE-2007-3033
o CVE-2007-3891

• Presentations

o The Inherent Insecurity of Widgets and Gadgets - Aviv Raff, Ian Amit

o Jinx - Malware 2.0 - Itzik Kotler, Jonathan Rom


References

• Gadget Security Model

o http://msdn.microsoft.com/en-us/library/ff486358.aspx

• Writing Secure Gadgets

o http://msdn.microsoft.com/en-us/library/bb498012.aspx